* unwanted rule showing in various chains
@ 2006-04-26 19:37 Tom Hurst
From: Tom Hurst @ 2006-04-26 19:37 UTC (permalink / raw)
To: netfilter
Hello,
I'm having some trouble setting up my tables the way I would like
them. What I'm trying to do is:
1) allow ssh into the router on the $WAN interface
2) allow vnc in to various internal machines
3) allow http, https, ftp, and dns (to the ISP Name Servers) out in a
stateful manner from all internal PCs
4) allow ssh from the router to select internal PCs
5) block everything else.
I believe it to be almost complete but there are rules in various
places to "ACCEPT all from anywhere" and I don't know what's
causing them.
Any help would be greatly appreciated.
Thank you,
Tom
##################################################
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
input_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP icmp -- anywhere anywhere
DROP gre -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
output_rule all -- anywhere anywhere
DROP icmp -- anywhere anywhere
DROP gre -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain forwarding_rule (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.5.170 tcp dpt:5900
Chain input_rule (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:22
ACCEPT tcp -- anywhere anywhere tcp dpt:5900
DROP icmp -f anywhere anywhere
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain output_rule (1 references)
target prot opt source destination
ACCEPT udp -- (ISP DNS Server) anywhere udp spt:53 state NEW,ESTABLISHED
ACCEPT udp -- (ISP DNS Server) anywhere udp spt:53 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:80 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:443 state NEW,ESTABLISHED
##################################################
##################################################
/etc/init.d/S45firewall
#!/bin/sh
## Please make changes in /etc/firewall.user
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
# allow
# NOTE: plain "iptables -L" does not print the interface match, so this rule is listed
# as "ACCEPT all -- anywhere anywhere"; "iptables -L -v" or "iptables -S" shows the -i part
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j DROP # drop ICMP
iptables -A INPUT -p gre -j DROP # drop GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -j DROP
iptables -P INPUT DROP
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j DROP
iptables -A OUTPUT -j DROP
iptables -P OUTPUT DROP
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
# allow
# NOTE: both rules below match only on interfaces, which plain "iptables -L" does not
# print, so they are listed as "ACCEPT all -- anywhere anywhere"
iptables -A FORWARD -i br0 -o br0 -j ACCEPT # lan <-> lan (bridge)
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT # lan -> wan
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
iptables -P FORWARD DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
######################################################
USER RULES /etc/firewall
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
WIFI=$(nvram get wifi_ifname)
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
######PREROUTING#######
#Allow SSH on the WAN interface
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
#Allow VNC on WAN interface
# NOTE: ACCEPT in a nat-table chain ends nat processing for that packet, so with this
# rule in place the DNAT for port 5900 further down is never reached
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5900 -j ACCEPT
#QOS For FTP
# prerouting_rule only exists in the nat table, so the TOS rules go on mangle PREROUTING directly
iptables -t mangle -A PREROUTING -p tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport 20 -j TOS --set-tos Maximize-Throughput
#VNC
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5900 -j DNAT --to (Internal PC):5900
#######INPUT#######
#######(connections with the router as destination)
#Allow SSH on the WAN interface
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
#Allow VNC on WAN interface
iptables -A input_rule -i $WAN -p tcp --dport 5900 -j ACCEPT
# Allow all LAN traffic to router
#iptables -A input_rule -i br0 -s $LAN -m state --state NEW -j ACCEPT
# icmp_packets
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
iptables -A input_rule -i $WAN --fragment -p ICMP -j DROP
# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
iptables -A input_rule -i $WAN -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
iptables -A input_rule -i $WAN -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#Default INPUT Drop
#iptables -P INPUT DROP
#######OUTPUT#######
#######(connections with the router as source)
#########TEST##############
#Allow DNS
iptables -A output_rule --source (ISP DNS Server) -p udp --source-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A output_rule --source (ISP DNS Server) -p udp --source-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## http
iptables -A output_rule -o $WAN -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
## https
iptables -A output_rule -o $WAN -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#########TEST##############
#######FORWARDING#######
#######(connections routed thru the router)
#VNC
iptables -A forwarding_rule -i $WAN -p tcp --dport 5900 -d (Internal PC) -j ACCEPT
#Default FORWARD Drop
#iptables -P FORWARD DROP
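Added example, not part of the original post or of the OpenWrt firewall script: a small Python audit over a constructed iptables-save style dump modelled on the S45firewall rules above. It flags ACCEPT rules that carry no source, destination, protocol, port or state match, and renders each the way plain iptables -L shows it (no interface columns, so "-i ! $WAN -j ACCEPT", "-i br0 -o br0 -j ACCEPT" and "-i $LAN -o $WAN -j ACCEPT" all print as "ACCEPT all -- anywhere anywhere") next to the in/out view that iptables -L -v gives. The interface names vlan1 and br0, the sample dump and all function names are assumptions.

```python
"""Audit an iptables-save style ruleset for ACCEPT rules that match nothing
but interfaces, and show why plain `iptables -L` hides the difference.

SAMPLE_RULES is a constructed dump modelled on the posted S45firewall script
(interface names vlan1 = WAN and br0 = LAN are assumed), not real output.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:input_rule - [0:0]
:forwarding_rule - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j input_rule
-A INPUT ! -i vlan1 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT
-A input_rule -i vlan1 -p tcp -m tcp --dport 22 -j ACCEPT
-A forwarding_rule -i vlan1 -p tcp -m tcp --dport 5900 -d 192.168.5.170/32 -j ACCEPT
COMMIT
"""

# options taking one value / two values; anything else is treated as a flag
ONE_VALUE = {"-i", "-o", "-s", "-d", "-p", "-m", "-j", "--dport", "--sport",
             "--state", "--icmp-type", "--to-destination"}
TWO_VALUE = {"--tcp-flags"}
# matches that narrow a rule beyond "which interface"; a broad rule has none
NARROWING = {"-s", "-d", "-p", "--dport", "--sport", "--state",
             "--icmp-type", "--tcp-flags", "--fragment", "-f"}


@dataclass
class Rule:
    table: str
    chain: str
    target: Optional[str] = None
    # option -> (negated, value); value is None for flag-only options
    matches: Dict[str, Tuple[bool, Optional[str]]] = field(default_factory=dict)


def parse_save(text: str) -> List[Rule]:
    """Parse the '-A chain ...' lines of an iptables-save dump."""
    rules: List[Rule] = []
    table = "filter"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue  # comments, ':chain policy' lines, COMMIT
        toks = shlex.split(line)
        rule = Rule(table=table, chain=toks[1])
        i, negate = 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":  # new-style negation: "! -i vlan1"
                negate, i = True, i + 1
                continue
            if tok in TWO_VALUE:
                value, i = " ".join(toks[i + 1:i + 3]), i + 3
            elif tok in ONE_VALUE:
                if toks[i + 1] == "!":  # old-style negation: "-i ! vlan1"
                    negate, value, i = True, toks[i + 2], i + 3
                else:
                    value, i = toks[i + 1], i + 2
            else:
                value, i = None, i + 1  # flag such as --fragment
            if tok == "-j":
                rule.target = value
            else:
                rule.matches[tok] = (negate, value)
            negate = False
        rules.append(rule)
    return rules


def broad_accepts(rules: List[Rule]) -> List[Rule]:
    """ACCEPT rules whose only qualifiers are interfaces (or nothing at all)."""
    return [r for r in rules
            if r.target == "ACCEPT" and not (NARROWING & set(r.matches))]


def _fmt(rule: Rule, opt: str, default: str) -> str:
    if opt not in rule.matches:
        return default
    negated, value = rule.matches[opt]
    return ("!" if negated else "") + (value or "")


def render_plain(rule: Rule) -> str:
    """The columns plain `iptables -L` prints: no interface columns at all."""
    return "%-10s %-4s -- %-16s %s" % (rule.target, _fmt(rule, "-p", "all"),
                                        _fmt(rule, "-s", "anywhere"),
                                        _fmt(rule, "-d", "anywhere"))


def render_verbose(rule: Rule) -> str:
    """Roughly the extra in/out columns that `iptables -L -v` adds."""
    return "%-10s %-4s in=%-7s out=%-7s %-16s %s" % (
        rule.target, _fmt(rule, "-p", "all"), _fmt(rule, "-i", "*"),
        _fmt(rule, "-o", "*"), _fmt(rule, "-s", "anywhere"),
        _fmt(rule, "-d", "anywhere"))


if __name__ == "__main__":
    for r in broad_accepts(parse_save(SAMPLE_RULES)):
        print("%s/%s" % (r.table, r.chain))
        print("  plain  :", render_plain(r))
        print("  verbose:", render_verbose(r))
```

On a live box the same information comes from iptables -S or iptables-save, which print every match of every rule including -i/-o, or from iptables -L -v, which adds the in/out columns.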